What is AI regulation in Cambodia?
Cambodia does not have an enacted, dedicated AI law as of June 2026. Its AI governance is emerging through policy and draft instruments: the Cambodia Digital Economy and Society Policy Framework 2021 to 2035, the Digital Government Policy 2022 to 2035, a draft National AI Strategy, and work on a draft AI governance framework. Data protection is also still moving toward dedicated legislation, not a live comprehensive statute.
Reviewed by Jackie, Head of Learning & Development, Levellers · Last reviewed 8 June 2026
What this means
Cambodia's AI governance is still mostly policy-led. The state has published long-term digital policy documents, started drafting an AI strategy and an AI governance framework, and linked that work to digital government, cybersecurity, data governance and digital skills. But that is not the same thing as having a single AI Act with fixed duties, a risk classification system, or one specialist AI regulator.
That means the practical picture is mixed. Existing hard law still matters, especially the laws and rules that already govern telecommunications, e-commerce, consumer protection, digital signatures and other digital activity. At the same time, major pieces of the future framework, including a comprehensive personal data protection law, a digital government law and a data governance policy, were still being developed in official materials into 2026.
Cambodia is also moving in an ASEAN direction. Its ministries have taken part in the ASEAN Guide on AI Governance and Ethics and related regional work on generative AI and responsible AI. So for now, the country's AI regime is best understood as a blend of existing digital law, government policy, institutional coordination and regional soft law.
Why it matters
For founders, buyers, deployers and advisers, the main risk is assuming there are no rules because there is no AI Act. In practice, AI systems can still create liability through data handling, cybersecurity, misleading consumer-facing uses, procurement commitments, public-sector interoperability rules and sector-specific obligations. The government is also plainly moving toward tighter governance, so weak internal controls now can become expensive later.
The safest approach is to treat Cambodia as a jurisdiction where governance discipline matters before dedicated AI legislation arrives. Keep records of what your models do, what data they use, who approves high-risk use cases, how humans can override them, and how incidents are reported. That reduces present-day operational risk and leaves you better prepared if draft laws or policies are finalised.
How it works
No dedicated AI act yet
As of June 2026, I have not identified an enacted Cambodian AI statute in official sources. The official AI material instead consists of policy documents, draft strategy work, consultations and governance planning. Cambodia's current hard-law baseline is therefore indirect. Official policy materials point to existing digital laws such as the Telecommunications Law, the Sub-decree on Digital Signatures, the E-commerce Law and the Consumer Protection Law, while AI-specific governance is still being assembled through policy and draft instruments.
The master framework is digital transformation
The deepest layer is the Cambodia Digital Economy and Society Policy Framework 2021 to 2035. It acts as the state's master blueprint for digital transformation and sets the institutional architecture above the AI discussion. That architecture centres on the National Digital Economy and Society Council, supported by the Digital Government Committee, the Digital Economy and Business Committee, the Digital Security Committee, a General Secretariat and an Advisory Board for Digital Technology. In practical terms, AI is being folded into this wider digital state agenda rather than being governed through a separate legal silo.
MPTC appears to be the operational lead
Official AI process documents place the Ministry of Post and Telecommunications (MPTC) at the centre of Cambodia's AI policy work. The ministry has led the drafting of the National AI Strategy, prepared a National AI Governance Framework draft, coordinated consultations, and linked Cambodia's work to ASEAN and UN-ESCAP processes. The Digital Government Committee then appears as a key review body for draft instruments. That matters because organisations engaging with Cambodia on AI policy should expect committee review, consultation and staged policy development rather than a single regulator issuing a full AI rulebook.
Data protection and data governance remain unfinished
Cambodia's 2021 digital policy framework openly said the country still needed a Data Protection and Privacy Law. The subsequent Digital Government Policy made data governance, open data, data exchange and data protection core priorities for state modernisation. But official material continued to describe the Personal Data Protection Law, the Digital Government Law and a Data Governance Policy as drafts into 2026. So the direction of travel is clear, but the comprehensive data protection framework is still incomplete. Organisations should therefore avoid treating Cambodia as having a settled privacy regime on the model of the UK GDPR.
Public-sector AI is framed through digital government
Cambodia's Digital Government Policy aims to build a smart government through interoperable systems, shared infrastructure, data exchange through CamDX, digital identity tools, technical standards and later use of AI in data-driven governance. In other words, when the state discusses AI use in government, it is usually attached to digital public service reform and data architecture. If you build for government, issues like interoperability, security, records, accountability and fit within common platforms may matter just as much as model performance.
ASEAN context matters, but mostly as soft law
Cambodia is not acting in isolation. Official MPTC materials show participation in ASEAN work on the ASEAN Guide on AI Governance and Ethics, the expanded guide for generative AI and the ASEAN Responsible AI Roadmap. Those instruments are voluntary, not a binding ASEAN AI code, but they are still important. They signal the regional language Cambodia is using to think about accountability, testing, security, incident handling, trusted deployment and cross-border trust.
The practical reading is policy first, controls now
Taken together, Cambodia currently looks like a jurisdiction where policy, committee governance and draft law are running ahead of a dedicated AI statute. That does not mean businesses should wait passively. It means they should build governance now: documented use cases, role clarity, human oversight, data maps, testing records, supplier review and an internal AI impact assessment process. When law catches up, organisations that have already done that groundwork should be in a much stronger position.
Examples
A ministry or public body wants to add AI to a digital service. It does not start with a standalone AI Act, because there is not one. The more realistic route runs through the Digital Government Policy, the Digital Government Committee, interoperable systems, common technical standards, public-sector data exchange and the wider drive toward smart government.
A trade body, technology firm or university wants to influence Cambodia's direction of travel. In 2025 the MPTC opened public consultation on the draft National AI Strategy and ran workshops and bilateral meetings with ministries, private sector participants, academia, civil society and development partners. In Cambodia, policy shaping has therefore happened through consultation and committee review, not only through a finished statute.
A company wants to launch an AI product that relies on customer or employee data in Cambodia. Official materials still described key personal data and digital government instruments as drafts in 2026, so there is no excuse for waiting for a perfect final text before building controls. The prudent workflow is to define data inputs, set access rules, document vendor roles, create retention and deletion practices, and prepare incident escalation before the legal framework hardens.
Common misunderstandings
"Cambodia already has an AI Act." No. The official picture is draft strategy work, draft governance work and digital policy, not an enacted AI statute.
"If there is no AI Act, there are no rules." Wrong. Existing digital, consumer, telecoms, security and sector rules can still apply to AI use.
"The Personal Data Protection Law is already in force." Not from the official material reviewed here; official pages in 2026 still described it as draft.
"ASEAN's AI guide is binding law in Cambodia." No. It is regional guidance and a policy reference point, not a directly binding AI code.
"Cambodia has one specialist AI regulator." Not clearly. Official materials point instead to committee-based coordination and MPTC-led drafting.
Risks and boundaries
The main boundary is that much of Cambodia's AI framework is still being built. Draft strategies, draft policies and draft laws can change before adoption, and official target dates are not the same thing as promulgation.
There is also a visibility limit. Some official sources explain direction and process more clearly than they publish final legal text. That means organisations should not infer detailed rights, exemptions, penalties or regulator powers until a final instrument is formally issued.
Finally, AI governance in Cambodia is unlikely to sit in one place only. Even without a dedicated AI law, duties can arise from telecoms regulation, e-commerce, cybersecurity, public-sector digital architecture, procurement, and sector-specific requirements. This article is an explanatory overview, not legal advice.
What to do next
Start with a control map, not a label. Identify every AI use case in Cambodia, or affecting Cambodian users, and record who owns it, what data it touches, whether it affects customers, workers or citizens, and whether it connects to any public system or regulated workflow.
Build the basics now: approval gates for higher-risk use, vendor due diligence, model and prompt testing records, human review, fallback procedures, incident logging and clear responsibility for data quality and access. If you operate across ASEAN, align those controls with regional good practice rather than waiting for a local AI law to force the issue.
Then watch the official pipeline closely. Track MPTC and related committee publications for movement on the draft National AI Strategy, the draft AI governance framework, the Data Governance Policy, the Personal Data Protection Law and related digital government legislation. If Cambodia matters to your organisation, prepare an AI impact assessment process before the framework hardens.
FAQs
Does Cambodia have a dedicated AI law?
No. As of June 2026, the official picture is policy and draft framework development rather than an enacted AI statute.
Is Cambodia's National AI Strategy in force?
Official materials reviewed here still referred to it as a draft into 2026, so it should not be treated as a final binding instrument.
Does Cambodia have a comprehensive personal data protection law?
Not yet in the official material reviewed here. Personal data protection legislation was still being described as draft in 2026.
Who is leading AI policy work in Cambodia?
In practice, the Ministry of Post and Telecommunications appears to be leading the drafting and consultation work, within the wider committee structure created for digital economy and digital government policy.
Are ASEAN AI guides legally binding in Cambodia?
No. They are voluntary regional guidance, but they still matter because they influence the language and direction of Cambodian policy work.
Can companies deploy AI in Cambodia now?
Yes, but they should not assume a legal vacuum. Existing digital and sector rules still matter, and future draft instruments could tighten expectations.
What is the biggest compliance mistake to avoid?
Assuming you can wait for a future AI law. In Cambodia, the smarter approach is to build governance controls now and monitor the official draft pipeline.
